ATO | BEC | Onsite Incident Response | Account Take Over | Business Email Compromise | Hoyt LLC

Executive Summary

If you are a US-based Company needing immediate Incident Response Services for your M365 Tenant or Unix Servers, please DM 7x24x365.


In the normal course of business, your Company may be affected by an ATO BEC (Account Take Over | Business Email Compromise) of your Microsoft 365 Tenant and/or Unix Servers. I provide immediate on-site and remote Incident Response Services.

Monte Carlo Outcome

The Threat Actors often produce a Monte Carlo outcome. Typical actions are sending Emails to your Vendors and Client Base for Monetization. Expect that during an ATO & BEC the Attackers will likely modify sensitive files and conduct financial operations on behalf of the company. You should also investigate domain registration and workload submission.

ATO BEC Response Plan

  • Retain the Response Attorney [RA]
    • Contact me
    • Create a Global Admin Account (GAA) for RA
    • Partner retains me as Agent for GAA
    • Analysis begins immediately upon receipt of GAA
  • RA is the Manager for the DFIR Response
    • RA Retains the Engagement Teams
  • RA is Point of Contact for:
    • LEOs
    • AGOs
    • Insurance Carriers
    • Other Interested Parties
  • RA manages the Event Mitigation & Remediation
  • RA manages the Implementation of Best Practice
  • RA manages the Notification of Affected Persons
  • RA manages all Legal & Regulatory Filings


MultiFactor Authentication

Implementation of MultiFactor Authentication (MFA) and/or Phishing Resistant MFA will be completed in 1 business day using Conditional Access for your Microsoft 365 Tenant. Best Practice bases user access & authorization on Conditional Access policies, which bring signals together to make decisions and enforce policy.

Written Information Security Policy

The RA will deliver the required Written Information Security Policy (WISP) based on the State(s) in which your Client(s) reside. Sensitive information such as Social Security Numbers, credit and debit card numbers, and bank account information must be kept confidential and secure under law, and the law requires this Written Information Security Policy.

Notification Process

The RA will discuss the AGO Notification Process and initiate contact with the necessary legal and regulatory authorities.

Onsite & Remote Services

Onsite & Remote Services begin upon your retention of your Breach Response Attorney. Please contact me for an introduction. The immediate goals are to ingest all Digital Forensics, conduct Incident Response, and implement Best Practice while commencing the Notification Process.

We are available 7x24x365.